A series of three rotors from an Enigma machine, used by Germany during World War II

In cryptography, a rotor machine is an electro-mechanical stream cipher device used for encrypting and decrypting secret messages. Rotor machines were the cryptographic state-of-the-art for a prominent period of history; they were in widespread use in the 1920s–1970s. The most famous example is the GermanEnigma machine, whose messages were deciphered by the Allies during World War II, producing intelligence code-named Ultra.

The primary component is a set of rotors, also termed wheels or drums, which are rotating disks with an array of electrical contacts on either side. The wiring between the contacts implements a fixed substitution of letters, replacing them in some complex fashion. On its own, this would offer little security; however, after encrypting each letter, the rotors advance positions, changing the substitution. By this means, a rotor machine produces a complex polyalphabetic substitution cipher, which changes with every keypress.

In classical cryptography, one of the earliest encryption methods was the simple substitution cipher, where letters in a message were systematically replaced using some secret scheme. Monoalphabetic substitution ciphers used only a single replacement scheme — sometimes termed an "alphabet"; this could be easily broken, for example, by using frequency analysis. Somewhat more secure were schemes involving multiple alphabets, polyalphabetic ciphers. Because such schemes were implemented by hand, only a handful of different alphabets could be used; anything more complex would be impractical. However, using only a few alphabets left the ciphers vulnerable to attack. The invention of rotor machines mechanised polyalphabetic encryption, providing a practical way to use a much larger number of alphabets.

The earliest cryptanalytic technique was frequency analysis, in which letter patterns unique to every language could be used to discover information about the substitution alphabet(s) in use in a mono-alphabetic substitution cipher. For instance, in English, the plaintext letters E, T, A, O, I, N and S, are usually easy to identify in ciphertext on the basis that since they are very frequent (see ETAOIN SHRDLU), their corresponding ciphertext letters will also be as frequent. In addition, bigram combinations like NG, ST and others are also very frequent, while others are rare indeed (Q followed by anything other than U for instance). The simplest frequency analysis relies on one ciphertext letter always being substituted for a plaintext letter in the cipher: if this is not the case, deciphering the message is more difficult. For many years, cryptographers attempted to hide the telltale frequencies by using several different substitutions for common letters, but this technique was unable to fully hide patterns in the substitutions for plaintext letters. Such schemes were being widely broken by the 16th century.

In the mid-15th century, a new technique was invented by Alberti, now known generally as polyalphabetic ciphers, which recognised the virtue of using more than a single substitution alphabet; he also invented a simple technique for "creating" a multitude of substitution patterns for use in a message. Two parties exchanged a small amount of information (referred to as the key) and used it to create many substitution alphabets, and so many different substitutions for each plaintext letter over the course of a single plaintext. The idea is simple and effective, but proved more difficult to use than might have been expected. Many ciphers were only partial implementations of Alberti's, and so were easier to break than they might have been (e.g. the Vigenère cipher).

Not until the 1840s (Babbage) was any technique known which could reliably break any of the polyalphabetic ciphers. His technique also looked for repeating patterns in the ciphertext, which provide clues about the length of the key. Once this is known, the message essentially becomes a series of messages, each as long as the length of the key, to which normal frequency analysis can be applied. Charles Babbage, Friedrich Kasiski, and William F. Friedman are among those who did most to develop these techniques.

Cipher designers tried to get users to use a different substitution for every letter, but this usually meant a very long key, which was a problem in several ways. A long key takes longer to convey (securely) to the parties who need it, and so mistakes are more likely in key distribution. Also, many users do not have the patience to carry out lengthy, letter perfect evolutions, and certainly not under time pressure or battlefield stress. The 'ultimate' cipher of this type would be one in which such a 'long' key could be generated from a simple pattern (ideally automatically), producing a cipher in which there are so many substitution alphabets that frequency counting and statistical attacks would be effectively impossible. Enigma, and the rotor machines generally, were just what was needed since they were seriously polyalphabetic, using a different substitution alphabet for each letter of plaintext, and automatic, requiring no extraordinary abilities from their users. Their messages were, generally, much harder to break than any previous ciphers.

It is relatively straightforward to create a machine for performing simple substitution. We can consider an electrical system with 26 switches attached to 26 light bulbs; when you turn on any one of the switches, one of the light bulbs is illuminated. If each switch is operated by a key on a typewriter, and the bulbs are labelled with letters, then such a system can be used for encryption by choosing the wiring between the keys and the bulb: for example, typing the letter A would make the bulb labelled Q light up. However, the wiring is fixed, providing little security.

Rotor machines build on this idea by, in effect, changing the wiring with each key stroke. The wiring is placed inside a rotor, and then rotated with a gear every time a letter was pressed. So while pressing A the first time might generate a Q, the next time it might generate a J. Every letter pressed on the keyboard would spin the rotor and get a new substitution, implementing a polyalphabetic substitution cipher.

Depending on the size of the rotor, this may or may not be more secure than hand ciphers. If the rotor has only 26 positions on it, one for each letter, then all messages will have a (repeating) key 26 letters long. Although the key itself (mostly hidden in the wiring of the rotor) might not be known, the methods for attacking these types of ciphers don't need that information. So while such a single rotor machine is certainly easy to use, it's no more secure than any other partial polyalphabetic cipher system.

But this is easy to correct. Simply stack more rotors next to each other, and gear them together. After the first rotor spins "all the way", make the rotor beside it spin one position. Now you would have to type 26 × 26 = 676 letters (for the Latin alphabet) before the key repeats, and yet it still only requires you to communicate a key of two letters/numbers to set things up. If a key of 676 length is not long enough, another rotor can be added, resulting in a period 17,576 letters long.

In order to be as easy to decipher as encipher, some rotor machines, most notably the Enigma machine, were designed to be symmetrical, i.e., encrypting twice with the same settings recovers the original message (see involution).

The concept of a rotor machine occurred to a number of inventors independently at a similar time.

In 2003, it emerged that the first inventors were two Dutch naval officers, Theo A. van Hengel (1875 – 1939) and R. P. C. Spengler (1875 – 1955) in 1915 (De Leeuw, 2003). Previously, the invention had been ascribed to four inventors working independently and at much the same time: Edward Hebern, Arvid Damm, Hugo Koch and Arthur Scherbius.

In the United StatesEdward Hugh Hebern built a rotor machine using a single rotor in 1917. He became convinced he would get rich selling such a system to the military, the Hebern Rotor Machine, and produced a series of different machines with one to five rotors. His success was limited, however, and he went bankrupt in the 1920s. He sold a small number of machines to the US Navy in 1931.

In Hebern's machines the rotors could be opened up and the wiring changed in a few minutes, so a single mass-produced system could be sold to a number of users who would then produce their own rotor keying. Decryption consisted of taking out the rotor(s) and turning them around to reverse the circuitry. Unknown to Hebern, William F. Friedman of the US Army's SIS promptly demonstrated a flaw in the system that allowed the ciphers from it, and from any machine with similar design features, to be cracked with enough work.

Another early rotor machine inventor was Dutchman Hugo Koch, who filed a patent on a rotor machine in 1919. At about the same time in Sweden, Arvid Gerhard Damm invented and patented another rotor design. However, the rotor machine was ultimately made famous by Arthur Scherbius, who filed a rotor machine patent in 1918. Scherbius later went on to design and market the Enigma machine.

The most widely known rotor cipher device is the German Enigma machine used during World War II, of which there were a number of variants.

The standard Enigma model, Enigma I, used three rotors. At the end of the stack of rotors was an additional, non-rotating disk, the "reflector," wired such that the input was connected electrically back out to another contact on the same side and thus was "reflected" back through the three-rotor stack to produce the ciphertext.

When current was sent into most other rotor cipher machines, it would travel through the rotors and out the other side to the lamps. In the Enigma, however, it was "reflected" back through the disks before going to the lamps. The advantage of this was that there was nothing that had to be done to the setup in order to decipher a message; the machine was "symmetrical" at all times.

The Enigma's reflector guaranteed that no letter could be enciphered as itself, so an A could never turn back into an A. This helped Polish and, later, British efforts to break the cipher. (SeeCryptanalysis of the Enigma.)

Scherbius joined forces with a mechanical engineer named Ritter and formed Chiffriermaschinen AG in Berlin before demonstrating Enigma to the public in Bern in 1923, and then in 1924 at the World Postal Congress in Stockholm. In 1927 Scherbius bought Koch's patents, and in 1928 they added a plugboard, essentially a non-rotating manually rewireable fourth rotor, on the front of the machine. After the death of Scherbius in 1929, Willi Korn was in charge of further technical development of Enigma.

As with other early rotor machine efforts, Scherbius had limited commercial success. However, the German armed forces, responding in part to revelations that their codes had been broken during World War I, adopted the Enigma to secure their communications. The Reichsmarine adopted Enigma in 1926, and the German Army began to use a different variant around 1928.

The Enigma (in several variants) was the rotor machine that Scherbius's company and its successor, Heimsoth & Reinke, supplied to the German military and to such agencies as the Nazi party security organization, the SD.

The Poles broke the German Army Enigma beginning in December 1932, not long after it had been put into service. On July 25, 1939, just five weeks before Hitler's invasion of Poland, the Polish General Staff's Cipher Bureau shared its Enigma-decryption methods and equipment with the French and British as the Poles' contribution to the common defense against Nazi Germany. Dilly Knox had already broken Spanish Nationalist messages on a commercial Enigma machine in 1937 during the Spanish Civil War.

A few months later, using the Polish techniques, the British began reading Enigma ciphers in collaboration with Polish Cipher Bureau cryptologists who had escaped Poland, overrun by the Germans, to reach Paris. The Poles continued breaking German Army Enigma — along with Luftwaffe Enigma traffic — until work at Station PC Bruno in France was shut down by the German invasion of May–June 1940.

The British continued breaking Enigma and, assisted eventually by the United States, extended the work to German Naval Enigma traffic (which the Poles had been reading before the war), most especially to and from U-boats during the Battle of the Atlantic.

The rotor stack from an Enigma rotor machine. The rotors of this machine contain 26 contacts.

During World War II (WWII), both the Germans and Allies developed additional rotor machines. The Germans used the Lorenz SZ 40/42 and Siemens and Halske T52 machines to encipher teleprinter traffic which used the Baudot code; this traffic was known as Fish to the Allies. The Allies developed the Typex (British) and the SIGABA (American). During the War the Swiss began development on an Enigma improvement which became the NEMA machine which was put into service after WWII. There was even a Japanese developed variant of the Enigma in which the rotors sat horizontally; it was apparently never put into service. The Japanese PURPLE machine was not a rotor machine, being built around electrical stepping switches, but was conceptually similar.

Rotor machines continued to be used even in the computer age. The KL-7 (ADONIS), an encryption machine with 8 rotors, was widely used by the U.S. and its allies from the 1950s until the 1980s. The last Canadian message encrypted with a KL-7 was sent on June 30, 1983. The Soviet Union and its allies used a 10-rotor machine called Fialka well into the 1970s.

Typex was a printing rotor machine used by the United Kingdom and its Commonwealth, and was based on the Enigma patents.

A unique rotor machine was constructed in 2002 by Netherlands-based Tatjana van Vark. This unusual device is inspired by Enigma, but makes use of 40-point rotors, allowing letters, numbers and some punctuation; each rotor contains 509 parts.

A software implementation of a rotor machine was used in the crypt command that was part of early UNIX operating systems. It was among the first software programs to run afoul of U.S. export regulations which classified cryptographic implementations as munitions.